setTimeout(() => {
    Java.perform(function () {

        // === 辅助函数 ===
        function bytesToHex(arr) {
            if (!arr) return "(null)";
            var out = [];
            for (var i = 0; i < arr.length; i++) {
                out.push(('0' + (arr[i] & 0xFF).toString(16)).slice(-2));
            }
            return out.join('');
        }
        function safeToString(obj) {
            if (!obj) return "(null)";
            try { return obj.toString(); } catch (e) { return "(err)"; }
        }
        function base64(arr) {
            try {
                return Java.use("android.util.Base64").encodeToString.overload('[B', 'int').call(null, arr, 2);
            } catch (e) {
                // 兼容没有android.util.Base64的场景
                return "(Base64 not available)";
            }
        }

        // === 强力hook PKCS8EncodedKeySpec，dump私钥 ===
        try {
            var PKCS8EncodedKeySpec = Java.use("java.security.spec.PKCS8EncodedKeySpec");
            PKCS8EncodedKeySpec.$init.overload('[B').implementation = function (bArr) {
                console.log(">>> [PKCS8EncodedKeySpec.<init>] 私钥bytes HEX:\n" + bytesToHex(bArr));
                var b64 = base64(bArr);
                console.log(">>> [PKCS8EncodedKeySpec.<init>] 私钥bytes BASE64:\n" + b64);
                return this.$init(bArr);
            }
        } catch (e) {
            console.log("[*] hook PKCS8EncodedKeySpec failed: " + e);
        }

        // === 你原来的hook（保留不变） ===
        try {
            var Security = Java.use("com.zhangyue.iReader.JNI.runtime.Security");
            Security.hash.implementation = function (str) {
                console.log(">>> [Security.hash] 输入 str:", str);
                var ret = this.hash(str);
                console.log(">>> [Security.hash] 输出 BASE64:", ret);
                return ret;
            };
        } catch (e) {
            console.log("[*] hook Security.hash failed: " + e);
        }

        try {
            var JNISecurity = Java.use("com.zhangyue.iReader.JNI.util.JNISecurity");
            JNISecurity.hash.implementation = function (signature, keyFactory, raw) {
                console.log(">>> [JNISecurity.hash] raw 明文 len=" + (raw ? raw.length : -1));
                if (raw) {
                    console.log(">>> [JNISecurity.hash] 明文 HEX:", bytesToHex(raw));
                    try {
                        var asStr = Java.use("java.lang.String").$new(raw, "utf-8");
                        console.log(">>> [JNISecurity.hash] 明文 UTF8:", asStr);
                    } catch (ee) { }
                }
                try {
                    console.log(">>> [JNISecurity.hash] Signature.getAlgorithm: ", signature.getAlgorithm());
                    var provider = signature.getProvider();
                    if (provider) console.log(">>> [JNISecurity.hash] Signature provider: ", provider.getName());
                } catch (e) { }

                var ret = this.hash(signature, keyFactory, raw);

                if (ret) {
                    console.log(">>> [JNISecurity.hash] 输出 signature HEX:", bytesToHex(ret));
                    try {
                        console.log(">>> [JNISecurity.hash] 输出签名 BASE64:", base64(ret));
                    } catch (err) { }
                } else {
                    console.log(">>> [JNISecurity.hash] 输出为 null 或异常。");
                }
                return ret;
            };
        } catch (e) {
            console.log("[*] hook JNISecurity.hash failed: " + e);
        }

        // === 低层追踪 Signature.update 和 sign ===
        try {
            var Signature = Java.use("java.security.Signature");
            Signature.initSign.overload("java.security.PrivateKey").implementation = function (pk) {
                console.log(">>> [Signature.initSign] PrivateKey 类型: " + safeToString(pk));
                return this.initSign(pk);
            };
            Signature.update.overload('[B').implementation = function (b) {
                console.log(">>> [Signature.update] 更新内容 HEX: " + bytesToHex(b));
                try {
                    var asStr = Java.use("java.lang.String").$new(b, "utf-8");
                    console.log(">>> [Signature.update] 更新内容当做UTF8: " + asStr);
                } catch (e) { }
                return this.update(b);
            };
            Signature.sign.overload().implementation = function () {
                var sig = this.sign();
                console.log(">>> [Signature.sign] 生成字节签名 HEX: " + bytesToHex(sig));
                try {
                    console.log(">>> [Signature.sign] 生成 BASE64: " + base64(sig));
                } catch (err) { }
                return sig;
            };
        } catch (e) {
            console.log("[*] hook Signature failed: " + e);
        }

        // 可选：追踪 KeyFactory.generatePrivate
        try {
            var KeyFactory = Java.use("java.security.KeyFactory");
            KeyFactory.generatePrivate.overload("java.security.spec.KeySpec").implementation = function (spec) {
                console.log(">>> [KeyFactory.generatePrivate] 参数: " + safeToString(spec));
                var priv = this.generatePrivate(spec);
                try {
                    console.log(">>> [KeyFactory.generatePrivate] 生成的 PrivateKey: " + safeToString(priv));
                } catch (ee) { }
                return priv;
            };
        } catch (e) {
            console.log("[*] hook KeyFactory.generatePrivate failed: " + e);
        }
    });
}, 1000);